Re: Clemson tigernet a success for NM with WPA Enterprise



I would congratulate you but I am still annoyed by SC losing to
Clemson this year!  ;-)

Your instructions can be used for anyone connecting to a wireless
access point using PEAP and WPA except for the certificate which needs
to be changed to match what the back-end radius server offers.   So
thank you for posting this!

I have an Aruba Controller in my lab this week so I have been playing
with various EAP types in Network Manager and so far the following
have worked:
EAP-TLS with WPA+TKIP and WPA2+AES
PEAP with WPA+TKIP and WPA2+AES

I did not test WPA+AES or WPA2+TKIP since I don't think either are
valid according to the WPA standard.   If I am incorrect someone can
let me know and I will test again.  I also didn't bother testing
Dynamic WEP but I probably could if there is an interest.   I plan on
testing EAP-TTLS soon.

These tests were run using NM 6.5 and 6.6 with an Atheros based card
on Ubuntu Gutsy and Hardy systems.

Thanks!

On Wed, Mar 19, 2008 at 3:06 PM, Bill Moss <bmoss clemson edu> wrote:
> Today I did a further study of the certificate based authentication. I
>  discovered that my NetworkManager connections to tigernet yesterday were
>  ignoring certificate validation so I went back and fixed that.
>
>
>  Tests run on a T61 running a fully updated Windows XP, fully updated
>  Fedora 8 with update kernel-2.6.24.3-34.fc8.x86_64,
>  NetworkManager-0.7.0-0.6.7.svn3370.fc8.x86_64, and
>  wpa_supplicant-0.5.7-21.fc8.x86_64.
>
>
>
>  WPA Enterprise/PEAP/MSCHAPv2: PEAP is the second most widely supported
>  EAP after EAP-TLS. It is similar to EAP-TTLS, however, it requires only
>  a server-side CA certificate to create a secure tunnel to protect the
>  user authentication. PEAP/MSCHAPV2 uses MSCHAPV2 for authentication.
>
>  The certificate which validates tigernet.clemson.edu is signed by an
>  Entrust.net Secure Server CA root certificate. Newer Windows XP machines
>  already have this root certificate and five others Entrust.net root
>  certificates installed. Older Windows XP machines will have this root
>  certificate installed as soon as they login to the Clemson network. All
>  six Entrust.net root certificates can be installed on older Windows XP
>  machines by installing the optional package "Root Certificates Update"
>  from Windows Updates.
>
>  The Windows XP configuration provided for TSPs works:
>
>  Network name (SSID): WPA
>  Data encryption: AES
>  EAP type: Protected EAP (PEAP)
>  Check: Validate server certificate
>  Connect to these servers: tigernet.clemson.edu
>  Check two Entrust.net Secure Server Certificate Authority checkboxes
>  Uncheck: Automatically use my Windows login name and password.
>
>  A scan on the second floor of Martin O showed 26 access points, six of
>  which were broadcasting the SSID tigernet. Here is the scan data for the
>  strongest one:
>
>  Cell 16 - Address: 00:0F:90:7B:32:D4
>                    ESSID:"tigernet"
>                    Mode:Master
>                    Frequency:2.462 GHz (Channel 11)
>                    Channel:11
>                    Quality=77/100  Signal level=-57 dBm  Noise level=-93 dBm
>                    Encryption key:on
>                    IE: WPA Version 1
>                        Group Cipher : TKIP
>                        Pairwise Ciphers (2) : TKIP CCMP
>                        Authentication Suites (1) : 802.1x
>                    IE: IEEE 802.11i/WPA2 Version 1
>                        Group Cipher : TKIP
>                        Pairwise Ciphers (2) : TKIP CCMP
>                        Authentication Suites (1) : 802.1x
>                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
>                              11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
>                              48 Mb/s; 54 Mb/s
>                    Extra:tsf=000001018bd13a0d
>
>  On the Linux side, most users are going to be using wpa_supplicant or
>  NetworkManager/wpa_supplicant. wpa_supplicant uses the openssl libraries
>  and openssl has its own distribution specific certs directory for
>  storing certificate files. On Fedora 8, all six of the Entrust.net root
>  certificates are in the bundle /etc/pki/tls/certs/ca-bundle.crt. The
>  file /etc/pki/tls/cert.pem is a symbolic link to this bundle.
>
>  The Entrust Secure Server CA root certificate which validates the
>  tigernet certificate can also be downloaded from
>
>  http://www.entrust.net/developer/index.cfm  --> Download Root
>  Certificates --> Personal Use --> Download Certificates --> download
>  entrust_ssl_ca.der
>
>  Convert to pem format
>
>  # openssl x509 -inform der -in entrust_ssl_ca.der -out entrust_ssl_ca.pem
>
>  Copy entrust_ssl_ca.pem to /etc/pki/tls/certs
>
>
>  In Fedora 8, I first tested using wpa_supplicant and found the following
>  wpa_supplicant.conf file works. This is a standard configuration file. I
>  only had to determine which peaplabel to use.
>
>
>  wpa_supplicant.conf
>  ctrl_interface=/var/run/wpa_supplicant
>  ap_scan=1
>
>  network={
>        ssid="tigernet"
>        scan_ssid=1
>        key_mgmt=WPA-EAP
>        eap=PEAP
>        identity="bmoss"
>        password="xxxxxxxx"
>        phase1="peaplabel=0"
>        phase2="auth=MSCHAPV2"
>  #      ca_cert="/etc/pki/tls/certs/entrust_ssl_ca.pem"
>  }
>
>  I ran 'wpa_supplicant -Dwext -iwlan0
>  -c/etc/wpa_supplicant/wpa_supplicant.conf -ddd' with the -ddd to see the
>  debug output.
>
>  It works!
>
>  Comments:
>  1. phase1="peaplabel=1" does not work.
>  2. wpa_supplicant connects with or without a cert file specified.
>  3. wpa_supplicant does not appear to use the bundle ca-bundle.crt by
>  default. If this file is removed, wpa_supplicant can still connect.
>
>
>  I then configured tigernet in NetworkManager:
>
>  Network Name: tigernet
>  Wireless Security: WPA & WPA2 Enterprise
>  Authentication: Protected EAP (PEAP)
>  CA Certificate: /etc/pki/tls/certs/entrust_ssl_ca.pem
>  PEAP Version: 0
>  Inner Authentication: MSCHAPv2
>  User Name: bmoss
>  Password: xxxxxxxx
>
>  It works!
>
>  Comments:
>  1. CA Certificate: /etc/pki/tls/cert.pem (symbolic link to
>  /etc/pki/tls/certs/ca-bundle.crt)  <-- does not work
>  2. CA Certificate: /etc/pki/tls/certs/ca-bundle.crt  <-- does not work
>
>
>
>  --
>  Bill Moss
>  Alumni Distinguished Professor
>  Mathematical Sciences
>  Clemson University
>
>  _______________________________________________
>  NetworkManager-list mailing list
>  NetworkManager-list gnome org
>  http://mail.gnome.org/mailman/listinfo/networkmanager-list
>
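As an added example (not code from either poster), a small Python check over the wpa_supplicant network block quoted above: it parses network={...} blocks and reports when a WPA-EAP block has no ca_cert (so the RADIUS server's certificate is never validated, which is the state the commented-out line leaves you in) or no subject_match restricting which certificate is accepted. The hardened block, the subject_match value and the CN are assumptions for illustration.

```python
import re

# Constructed sample: the network block from the post, with ca_cert commented out.
WEAK_CONF = """
network={
      ssid="tigernet"
      key_mgmt=WPA-EAP
      eap=PEAP
      identity="bmoss"
      password="xxxxxxxx"
      phase1="peaplabel=0"
      phase2="auth=MSCHAPV2"
#     ca_cert="/etc/pki/tls/certs/entrust_ssl_ca.pem"
}
"""

# Assumed hardened variant: CA pinned to the Entrust file from the post and the
# server certificate subject pinned to the RADIUS server name (CN is an assumption).
HARDENED_CONF = """
network={
      ssid="tigernet"
      key_mgmt=WPA-EAP
      eap=PEAP
      identity="bmoss"
      password="xxxxxxxx"
      phase1="peaplabel=0"
      phase2="auth=MSCHAPV2"
      ca_cert="/etc/pki/tls/certs/entrust_ssl_ca.pem"
      subject_match="/CN=tigernet.clemson.edu"
}
"""

def parse_network_blocks(conf):
    """Return one dict per network={...} block; '#' comment lines are ignored."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue                      # commented-out ca_cert is not set
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip().strip('"')
        blocks.append(entry)
    return blocks

def audit_eap_block(entry):
    """Return findings for a WPA-EAP block that weaken server authentication."""
    findings = []
    if entry.get("key_mgmt") != "WPA-EAP":
        return findings                       # PSK/open networks: nothing to check here
    if "ca_cert" not in entry:
        findings.append("no ca_cert: RADIUS server certificate is not validated")
    if not any(k in entry for k in ("subject_match", "altsubject_match", "domain_suffix_match")):
        findings.append("no subject match: any certificate the CA issued is accepted")
    return findings
```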

